Gather Information

Excerpt from "Hunt Methodology" By Christian B.

Introduction

In order to prepare for a blue team exercise we must first gather the necessary information. This process can take a lot of time depending on how cooperative your “customers” are, so be sure to start the information-gathering process as soon as you are aware of an upcoming exercise or operation. The easiest way to approach this process without forgetting anything is to apply the Five Ws Method.

Who is the customer?

Knowing who the customer is will help you answer a lot of other questions. Because we are a military organization, most of the time we will be supporting a specific unit with a specific mission. We also need to identify a Point of Contact (POC) for that mission. Most of the time, your best POC will be the Information System Security Officer (ISSO) for the command.

Every Major Subordinate Command (MSC) will have an Information System Security Manager (ISSM) and every unit will have an ISSO. When an exercise or operation is being conducted, the exercise ISSO will be named in an Authorization to Operate (ATO) package, which is generally pushed up to the ISSM at the Marine Expeditionary Force (MEF). This is useful to know because the exercise ISSO will typically be on hand with the data administrators and is responsible for all traditional cyber security and reporting matters for that period, making them the ideal point of contact for the blue team.

So you know the unit, the mission owner, and you have a POC. Next, you need to know who is building and maintaining the network you are defending. Knowing the administrators, or Local Network Operators (LNO), and building a positive relationship with them will make your life easier during the exercise. It will also give you a better understanding of the knowledge and capability levels of the LNOs working on the network. Later, when you make mitigation recommendations, this matters: never recommend something that is beyond the LNOs' ability or that you cannot walk them through.

What is the customer’s mission?

Understanding the mission of the unit or organization you are supporting will help you identify Key Terrain: Cyber (KTC) and prioritize your sensor placement and traffic collection. Understand that it is not your responsibility to identify KTC. What you think is important might not be what the mission owner thinks is important, so make sure you ask this question, along with which systems they consider to be KTC. If the customer does not know what their KTC is, use their mission to help them decide.

When is the exercise/operation?

You need to know the dates of the exercise or operation in order to support it, but there are other dates you should be aware of. The Strap Exercise (STRAPEX) dates are important because the data administrators will use this period to test their networking and functionality. This is a great time to insert the blue team into the process and get your gear online. The STRAPEX period lets you confirm that your gear is functional and your sensors are placed to gather the appropriate traffic, and lets you get to know the data administrators before the exercise begins.

Where is the exercise/operation taking place?

This is important for more reasons than just knowing where to be. You need to know what region you are operating in because, in a real-world scenario or operation, the region gives you a good idea of who the regional Advanced Persistent Threats (APT) are. Use that information to gather Indicators of Compromise (IOC) attributed to those actors, build dashboards and searches for your sensors from them, and know what sorts of activity to look for.
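As an added example (not part of the original excerpt), the following Python shows one way to turn a regional-threat IOC list into hunt logic before the exercise starts: it matches IP, domain and hash indicators against Zeek-style JSON log records and renders the same IOC set as a Splunk search that can back a dashboard panel. The IOC values and log records are constructed placeholders, not real threat intelligence or captured traffic; the Zeek field names and the SPL rendering are assumptions about the sensor stack.

```python
"""Turn a regional-threat IOC list into hunt logic over Zeek-style JSON logs.

Added example. IOCs and log records below are constructed placeholders,
not real threat intelligence or captured traffic.
"""
import json
from dataclasses import dataclass

# Constructed IOC set. In practice this comes from the regional APT research
# described in the text; values here are documentation ranges and fake names.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example", "mail.evil-corp.example"},
    "sha256": {"ab" * 32},
}

# Constructed Zeek-style records (conn, dns, files), one JSON object per line.
SAMPLE_LOGS = [
    '{"_path":"conn","ts":1700000000.1,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.45","id.resp_p":443}',
    '{"_path":"conn","ts":1700000001.2,"id.orig_h":"10.0.0.6","id.resp_h":"93.184.216.34","id.resp_p":80}',
    '{"_path":"dns","ts":1700000002.3,"id.orig_h":"10.0.0.7","query":"CDN.update-cdn.example."}',
    '{"_path":"dns","ts":1700000003.4,"id.orig_h":"10.0.0.7","query":"notupdate-cdn.example"}',
    '{"_path":"files","ts":1700000004.5,"tx_hosts":["198.51.100.7"],"sha256":"' + "AB" * 32 + '"}',
]

# Assumed Zeek field names each IOC type is checked against.
FIELDS = {
    "ip": ("id.orig_h", "id.resp_h", "tx_hosts", "rx_hosts"),
    "domain": ("query", "server_name", "host"),
    "sha256": ("sha256",),
}


@dataclass(frozen=True)
class Hit:
    path: str
    ts: float
    field: str
    ioc_type: str
    ioc: str


def normalize_domain(name: str) -> str:
    """Lowercase and strip the trailing dot Zeek keeps on absolute names."""
    return name.strip().lower().rstrip(".")


def domain_matches(observed: str, ioc: str) -> bool:
    """Exact match or a subdomain of the IOC; 'notupdate-cdn.example' must not match."""
    observed = normalize_domain(observed)
    return observed == ioc or observed.endswith("." + ioc)


def _values(record: dict, field: str) -> list:
    """Return the field as a list so scalar and list-valued fields are handled alike."""
    value = record.get(field)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def match_record(record: dict, iocs: dict = IOCS) -> list:
    """Return every IOC hit in one parsed log record."""
    hits = []
    for ioc_type, fields in FIELDS.items():
        for field in fields:
            for value in _values(record, field):
                for ioc in iocs.get(ioc_type, ()):
                    if ioc_type == "domain":
                        matched = domain_matches(str(value), ioc)
                    else:  # IPs and hashes compare exactly, case-insensitively
                        matched = str(value).lower() == ioc.lower()
                    if matched:
                        hits.append(Hit(record.get("_path", "?"), record.get("ts", 0.0), field, ioc_type, ioc))
    return hits


def hunt(lines, iocs: dict = IOCS) -> list:
    """Run the IOC set over JSON log lines, skipping malformed lines instead of aborting."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits.extend(match_record(record, iocs))
    return hits


def to_splunk_search(iocs: dict = IOCS, index: str = "zeek") -> str:
    """Render the IOC set as one SPL search for a dashboard panel (assumed field names)."""
    clauses = []
    for ioc_type, fields in FIELDS.items():
        values = sorted(iocs.get(ioc_type, ()))
        if ioc_type == "domain":  # wildcard so subdomains of the IOC also match
            values = values + [f"*.{v}" for v in values]
        if values:
            quoted = ", ".join(f'"{v}"' for v in values)
            clauses.extend(f"{field} IN ({quoted})" for field in fields)
    return f"index={index} (" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"{hit.path}\tts={hit.ts}\t{hit.field}={hit.ioc} ({hit.ioc_type})")
    print(to_splunk_search())
```

Run against the constructed sample, the hunt reports four hits (one conn, one dns, two on the files record) and ignores the look-alike domain and the benign address. The subdomain check and the trailing-dot normalization are the parts that usually bite in practice: a bare substring match on the domain list would flag `notupdate-cdn.example`, and an exact match would miss `cdn.update-cdn.example.`.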

Why is this network important?

This is more of an informational piece for the analysts. Everything that you know, your analysts should know. Understanding why the network is important to the mission will give the analysts a sense of purpose and pride in their work. Staring at logs for 12 hours straight is a miserable process and a little bit of buy-in will go a long way.
